Venafi is the market leading cybersecurity company in Next-Generation Trust Protection (NGTP). Venafi delivered the first trust protection platform to secure cryptographic keys and digital certificates that every business and government depend on for secure communications, commerce, computing, and mobility.

Failure to protect keys and certificates lets cyber-criminals stay undetected for extended periods of time and gives them the elevated privileges they need. Find out how to mitigate this new threat.

Remediate Flame MD5 Risks

Analyst Coverage

“Cybercriminals are known to steal SSH keys or manipulate which keys are trusted to gain access to source code and other valuable intellectual property.”

“Advanced threat detection provides an important layer of protection but is not a substitute for securing keys and certificates that can provide an attacker trusted status that evades detection.”

"Basically, the enterprise is a sitting duck."

"PKI is under attack...Advanced and persistent adversaries go for keys."

"When there are many hundreds of certificates from a variety of certificate authorities, the only ecumenical [universal], nonproprietary provider of a certificate management solution is Venafi. Other CA management systems are biased toward the particular CA by, for example, only supporting renewals from that specific CA."

"No CISO could consider having tens of thousands of unknown network ports open and have no way to control them. But that’s the alarming reality today with regards the trust established by keys and certificates..."

"Organizations with roughly 200 or more documented X.509 certificates in use are high-risk candidates for unplanned expiry and having certificates that have been purchased but not deployed."

"Technology critical to cloud computing is in clear and present danger...attacks on Secure Shell (SSH) keys present the most alarming threat arising from failure to control trust."

“Just because something is digitally signed doesn't mean it can be trusted.”

“Enterprise awareness of attacks on keys and certificates is in its infancy; most don’t understand how to detect or respond to an attack.”

What is Flame malware?

The recently discovered Flame malware demonstrates how MD5-based certificates can be exploited to perform man-in-the-middle and other attacks.

Background

Based on currently available information, Flame was a sophisticated piece of malware designed to gather intelligence information in Iran and the Middle East. The developers of Flame were able to create fraudulent Microsoft digital certificates due to Microsoft’s use of the weak MD5 algorithm (proven hackable in 2005). These fraudulent certificates were used as part of HTTP man-in-the-middle attacks to distribute and install the Flame malware rapidly as a bona fide Microsoft update by masquerading as the Windows Update service.

What Happened?

Summary: Flame impersonated Microsoft, loaded malware, and that malware opened a “door” that enabled its creators to steal information.

Sequence of events:

1. Microsoft certificate
   - Microsoft certificates based on the MD5 hash algorithm were targeted
   - A certificate was remanufactured (using the cracked MD5 algorithm) so that it looked like a genuine certificate
   - Hackers set up a man-in-the-middle attack to get between Microsoft and the targeted machines
   - The targeted machines thought they were dealing directly with Microsoft

2. Licensing and update services were attacked and compromised
   - Microsoft licensing
   - Windows Update

3. Code signing
   - Code was signed using the fake certificate
   - Windows allowed the malware to run and install

4. Flame malware
   - Stole small parts of files
   - Sent them to over 80 different DNS names (URLs)
   - If the content looked valuable, the malware was instructed to get more

In response to Flame, Microsoft issued an emergency patch that explicitly identified the fraudulent certificates as “Untrusted Publishers” within Windows. This patch, once implemented, should protect organizations from the specific Microsoft MD5 vulnerability that was exploited by the Flame developers. MD5-based certificates were the open door, or attack vector, that allowed Flame to work. Microsoft closed its door by rendering the Microsoft-specific MD5 certificates invalid.
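The Microsoft patch only covers Microsoft's own certificates; finding MD5-signed certificates elsewhere in an inventory means reading each certificate's signatureAlgorithm field. As an added example (not Venafi's code or the page's), the standard-library Python below walks just enough DER to read that OID and name it; the two sample certificate skeletons are constructed for illustration and are not real certificates.

```python
import base64
# Signature-algorithm OIDs (RFC 3279 / RFC 4055) in dotted form.
MD5_RSA = "1.2.840.113549.1.1.4"
SIG_ALG_NAMES = {MD5_RSA: "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length, as real certs use
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """DER OID content bytes -> dotted notation (base-128 arcs)."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def signature_oid(der):
    """Certificate.signatureAlgorithm.algorithm: the hash the issuer signed with."""
    tag, pos, _ = _read_tlv(der, 0)                 # Certificate SEQUENCE
    _, _, tbs_end = _read_tlv(der, pos)             # tbsCertificate, skipped
    alg_tag, alg_pos, _ = _read_tlv(der, tbs_end)   # AlgorithmIdentifier
    oid_tag, start, end = _read_tlv(der, alg_pos)   # its OBJECT IDENTIFIER
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 Certificate structure")
    return _decode_oid(der[start:end])
def signature_algorithm(der):            # name, or the dotted OID if unknown
    oid = signature_oid(der)
    return SIG_ALG_NAMES.get(oid, oid)
def pem_to_der(pem):                     # strip PEM armour, base64-decode the body
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)
# Constructed samples, not real certificates: a stub tbsCertificate, the
# signatureAlgorithm under test with NULL parameters, and a dummy signature.
def _der(tag, payload):                  # short-form length suffices here
    return bytes([tag, len(payload)]) + payload
def build_sample(oid_hex):               # oid_hex = DER content bytes of the OID
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))
MD5_SAMPLE = build_sample("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_SAMPLE = build_sample("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

Run `signature_algorithm(pem_to_der(open(path).read()))` over each file in an inventory and report any result of md5WithRSAEncryption; SHA-1 results deserve the same follow-up.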